A1 Audit Information


In the event of any questions arising from this report please contact Peter Cudlip, Partner 
(peter.cudlip@mazars.co.uk), Syed Shah, Senior Manager (syed.shah@mazars.co.uk) or Darren Jones, Manager 
(darren.jones@mazars.co.uk) 


Disclaimer 


This report (“Report”) was prepared by Mazars LLP at the request of the Information Commissioner’s Office (ICO) and terms for the
preparation and scope of the Report have been agreed with them. The matters raised in this Report are only those which came to
our attention during our work. Whilst every care has been taken to ensure that the information provided in this Report is as accurate
as possible, we have only been able to base findings on the information and documentation provided and consequently no complete
guarantee can be given that this Report is necessarily a comprehensive statement of all the weaknesses that exist, or of all the
improvements that may be required.


The Report was prepared solely for the use and benefit of the Information Commissioner’s Office (ICO) and to the fullest extent
permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any 
reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. 
Accordingly, any reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or 
modification by any third party is entirely at their own risk. Please refer to the Statement of Responsibility in Appendix A1 of this 
report for further information about responsibilities, limitations and confidentiality. 
01 Introduction


As part of the Internal Audit Plan for 2020/21, we have undertaken a review
of the Information Commissioner’s Office’s (ICO) core controls for human
resources (HR). As part of the examination of key risks we reviewed the
following areas:


• HR roles and responsibilities;
• Recruitment;
• Pre-employment checks;
• Appraisals process;
• Learning and development;
• Retention of high calibre staff; and
• Covid-19 response.


The full scope of the review is included at Appendix A1. 


We are grateful to the Director of Resources, Head of Workforce 
Development and Planning, Head of HR and other staff for their assistance 
during the audit. 


The fieldwork for this audit was undertaken whilst government measures 
were in place in response to the Coronavirus Pandemic (Covid-19). The 
scope and fieldwork for this audit were impacted. This included working 
restrictions, specifically in respect of control arrangements for testing 
recruitment procedures and pre-employment checks. Information for these 
areas is retained on personnel files held within the office. Therefore, our 
opinion is reflective of the work completed, which does not cover the full 
scope and associated risks and controls. The areas that impacted our work 
included recruitment and pre-employment checks where we were unable to 
access hard copy information that is stored in the ICO office. 


We understand that ICO is working towards adopting paperless working, which
we support. This will help should documents be required while working in a
remote environment.


02 Background 


Successful organisations that can deliver against their strategic objectives 
are heavily reliant on capable human capital. In order to assess capability 
all employees are required to undergo a recruitment process and vetting for 
suitability for the role. Staff members are subsequently challenged through
performance measurement and appraisals; this framework allows
organisations to maintain standards but also to grow and improve.


At ICO, HR is under the oversight of the Director of Resources and is
managed operationally by the Head of HR, whose team is involved in recruitment and
on-boarding. Separately, learning & development and appraisals are
managed by the Head of Workforce Development and Planning.


Recruitment 


At ICO, any recruitment is required to first be authorised by the Director of 
Resources before any job posting can commence. Jobs are typically 
advertised through ICO’s website using the third-party integrated system, 
Vacancy Filler. Job descriptions and person specifications are posted 
alongside salary amounts. 


Vacancy Filler receives applications and other summary information 
including personal details which are only seen by the HR team. Hiring 
managers shortlist candidates using the Vacancy Filler platform. Shortlisting
is completed by two panel members that score a candidate’s application 
form to identify the highest scoring candidates. The next stage may involve 
interviews or assessment centres depending on the role. 


Pre-employment checks 


For successful candidates, who have received a conditional offer of
employment, pre-employment checks are conducted. These checks include 
the legal requirement of “right to work”, health screening, qualifications, 
references and security clearances. 


All staff are required to receive a Disclosure and Barring Service (DBS) check; however,
depending on the nature of the role, a more sensitive security clearance
may be used such as Security Check or Developed Vetting. Roles requiring
a higher level of clearance are stated within the job descriptions in the 
application stages. 
Appraisals


There is an annual performance and development review (PDR) process 
between line managers and direct reports, which is carried out between April 
and May each year. Currently PDR completions are reported within
CIPHR, ICO’s HR system which is managed by the HR Manager (Projects). 


Learning and Development 


There is a learning and development plan in line with corporate objectives 
and the needs of the organisation. With any learning and development 
requirements there is a need to assess the training needs of the 
organisation, deliver required content and measure the effectiveness. The 
Workforce Development and Planning Team undertakes a needs 
assessment based on vacancy gaps and skills gaps as identified by 
Directors, and ad hoc assessments are also made at the operational level,
between the workforce team and others. 


Staff retention 


Across the sector, staff retention and the subsequent hiring of new staff can 
be challenged by the higher pay and benefits offered in the private sector, 
in particular for specialist and technology roles. The ICO has identified it is 
more difficult to fill technology vacancies and so a cyber apprenticeship was 
launched by the ICO, in an attempt to grow existing talent within the ICO. 


Response to Covid-19 


Towards the end of March 2020, the UK Government requested that all “non-essential” workers should work from home in response to the outbreak of the Covid-19 pandemic. At ICO, staff were required to work from home and, as such, changes were made in the HR and Workforce Development and Planning teams. Restrictions to business-as-usual operations included no access to physical documents, and identity verification as part of pre-employment checks and delivery of training courses were changed and adapted to changes in working.


Furthermore, as a result of Covid-19, many staff members’ holiday plans
were changed which impacted annual leave administration, and in other
cases childcare and other family obligations were increased as a result of
the lockdown in the UK. ICO has organised the implementation of Covid-credits,
a type of flexible working solution, in response to the flexible hours required
by its staff members.


03 Key Findings 


Assurance on effectiveness of internal controls 


Adequate Assurance 


Rationale 


In our review of the core controls within HR we have provided an “Adequate
Assurance” opinion. Our work identified some good controls for
HR and Workforce planning that included the ICO’s transparent recruitment
processes, learning and development opportunities and rewards.


However, we have identified a number of areas that ICO should seek to 
address in order to improve the control environment. These 
recommendations are included within Section 04. 


Priority Recommendations 


1. (Fundamental) | -
2. (Significant) | 2
3. (Housekeeping) | 3
TOTAL | 5
Areas of Strength


• A People strategy is in place which aims to inspire high performance, be a well-regarded employer that attracts and retains talent, and develop and maintain an expert and resilient workforce. The strategy provides the expectations required from the HR core functions and how their work contributes to the wider organisation.

• A Recruitment policy is in place which sets out the methods of recruitment in order to ensure recruitment is administered in a fair and consistent process. In addition, the recruitment process is made available to all candidates through the ICO’s website on the “Jobs” section.

• We tested a sample of five live vacancies and confirmed the latest job descriptions and person specifications are included within the job adverts. Salary amounts are made known to applicants within the job advert and their corresponding salary pay scales are correct for the pay scales in 2019/20.

• The ICO aims to provide competitive salaries for its staff members. Although salaries are fixed within its pay scales, these pay scales are negotiated upon and agreed with trade unions before implementation. We confirmed the pay scales for 2019/20 were agreed on the 19 June 2020.

• The ICO has understood their salary offerings by benchmarking reports from their retained Executive Search Agency, Hays. We confirmed benchmarking was carried out in 2017 and 2019.

• There is a revised new starters checklist in place which considered the recommendations of a previous internal audit on Payroll, although we were not able to test for the control effectiveness due to testing restrictions from Covid-19.

• A guidance document on the Personal Development Record (PDR) was produced in April 2020. The document provides information on the PDR process, objectives and how discussions could be shaped to focus on improvements in the individual. This guidance is designed to help line managers and their staff to build quality and meaningful PDRs.

• We sample tested nine PDRs and found eight were completed in a manner which fulfilled the objectives of PDRs.

• There is top-down communication from the Director of Resources in an organisation-wide email encouraging the completion of PDRs and recording the completion within MINFO.

• Learning needs are identified in several ways at the ICO, ranging from informal meetings held by Learning and Development staff to Workforce Planning questionnaires completed by Directors which aim to identify skills gaps within their directorates.

• Rewards and opportunities to pursue qualifications are available at the ICO which include new Cyber apprenticeships and Management apprenticeships. There is a Qualifications policy and Procedures for Training Request which help to guide staff towards more tailored qualifications which help the ICO to retain its talent.


Risk Management

Within the latest Risk and Opportunity Register from June 2020, ICO has identified one risk related to the HR core controls:

“R29: Technology Relevant Regulator: (Cause) Insufficient resources, knowledge, training and external engagement prevent the ICO from (Threat) engaging with and effectively regulating emerging technology-based threats to information rights (Impact) such that it is impeded in fully achieving all of its IRSP goals, in particular goal #6 and results in poor reputation perception of the ICO as a relevant regulator for cyber related privacy issues”

R29 is identified as having a current risk score of Amber-12 and a target score of Green-4 after the implementation of mitigating actions. Although several actions are identified as being technology related and under the ownership of the Deputy Commissioner, there are two HR controls related actions which include:

• Technology Strategy developed and additional staff being recruited to the Technology Policy Department to provide appropriate resource to deliver the strategy.
• Staff being recruited to the Internet Economy Team within Privacy Innovation.


There are two more risks, notably R73 and R2, which identify HR policies and
delivery of training as the mitigating actions for the two risks.


We understand ICO’s review of HR policies is not completed yet and as such 
these risks cannot be considered as mitigated. This is included in Section 
04, recommendation 4.1. 


Security clearance of new starters 


There are a number of roles at ICO that require a higher level of security 
clearance. These clearances can at times take up to 4 months or longer if 
the individual has worked overseas. For these cases, ICO will start the 
employment on a probationary basis until the full security clearances have 
been received. This presents a risk to ICO should clearances provide 
negative results. 


From discussions with management we understand that the decision on the
timing of the security clearances has been considered in detail in regard to
the risk. ICO, on balance of the risk, have taken the view that the risk of failing to fill
the role due to the length of time required to receive the security clearance
is greater than that of enabling them to join on probation. We have therefore not
made a recommendation for this.


Value for Money 


HR roles and responsibilities 


Allocation of tasks and duties is important to avoid duplication of effort; this
is particularly important in large teams where outputs are largely process
driven. The HR team has mapped out the tasks and responsibilities required 
within recruitment and on-boarding which has helped drive efficiency and 
effectiveness as staff are aware of their responsibilities within a given 
process. 


Recruitment 


The largest costs typically associated with recruitment are the use of
recruitment agencies and temporary staff. We understand the ICO utilises 
Hays Recruitment to fill roles that are grade F and above. However, we 
understand efforts to recruit using the ICO website and advertising on job 
boards and publications are carried out concurrently with the use of other 
recruitment agencies. 


We completed sample testing of 10 new starters, and we noted four staff 
members were recruited using a recruitment agency. Although recruitment 
agencies are useful intermediaries in finding the best candidates, 
nonetheless their use should be minimised due to their prohibitive costs. We 
noted from the latest management accounts available (April 2020), the ICO 
is expecting an overspend of £153,000 on recruitment and training for the 
financial year. We understand this is due to some specialist roles that are 
harder to recruit and therefore more cost is incurred through recruitment 
agencies. 


Many public sector organisations have taken the approach of reducing their
reliance on recruitment agencies by designing recruitment strategies, upskilling their staff in
performing executive searches, running targeted recruitment campaigns and
connecting with social media platforms such as LinkedIn to post jobs.


Pre-employment checks 


Pre-employment checks are an important part of confirming the successful
candidate’s legal right to work in the UK but also of verifying character and
experience. VfM for pre-employment checks is the efficiency with which these
checks can be carried out, as highly capable candidates may receive other
competing employment offers and therefore organisations may miss out on
their preferred candidates if this process is slow.


We noted the allocations of roles and responsibilities help to make the pre-employment checks more efficient; however, there are job roles within the organisation which require higher levels of security clearance, which include Security Vetting or Developed Vetting.


The ICO’s Recruitment Policy suggests these may be undertaken after the staff member has already started their job with the ICO and, as such, their employment may be affected if security clearance is not granted. We have made a recommendation on the approach of the policy, as clearances should be checked prior to the start of employment to avoid restarting recruitment campaigns or the possible damages required for the ICO to end an employment contract.


Appraisals process 


Most organisations find VfM in the appraisals process when there is buy in 
from the whole organisation, since this facilitates the seeking of improvement 
but also recognition for all staff members, which is a positive experience for 
the organisation. We tested appraisals completion through MINFO and
noted the completion rate was approximately 34% at ICO. We have raised a 
recommendation in relation to this in Section 04, recommendation 4.4. 


A well-maintained learning and development budget and targeted
development offering based on organisational needs offers the greatest VfM.
The ICO has tracked its learning and development budgets and we noted it
came under budget by £87,428 in 2019/20. Training and development
expenditure is currently under budget by £440,447 year to date, although this
is a direct result of Covid-19 and the inability to deliver certain training.
ICO has adapted by delivering workshops over Microsoft Teams instead
which has saved incidental costs such as venues and travel costs.


There is targeted delivery of training at ICO through the analysis of needs 
conducted by the Head of Workforce Development and Planning and the 
Directorate Planning responses captured as part of directorate planning as 
completed by ICO’s directors. 


Retention of high calibre staff 


Although the public sector may find competing with private sector salaries 
and rewards challenging, it is important to identify a strategy to retain high 
performing staff members. 


A People strategy is in place with one of the objectives identified as retention 
of staff. This is carried out through the rewards strategy which is in place at 
ICO. Furthermore, there is a recognition policy and personal development 
opportunities including qualifications and training which all contribute to
offering an attractive proposition for staff to retain their roles within ICO.


Covid-19 response 


Whilst Covid-19 has presented a disruption, this has not been significant to ICO, with only minimal requirements for business continuity, which has allowed ICO to continue business as normal. We note that the Workforce Development and Planning Team has had minimal changes to their work and, although training is now delivered on Microsoft Teams, this has saved venue and travel costs.


The HR team has met several challenges, given much of their working has 
previously relied on personnel information within physical folders. Although 
we noted this has since moved towards electronic filing, we have found key 
information misplaced electronically or not filed within our sample testing of 
starters and their recruitment and checks information. The ICO will likely be 
required to find the most efficient and cost-effective method of converting 
files into a digital format. We have made a recommendation in relation to this 
in Section 04, recommendation 4.6. 


Sector Comparison 


The Civil Service Commission set out Recruitment Principles in 2018/19. The 
principles outline requirements for public bodies regarding selection panels, 
information made available to applicants, evidence, decision-making, and 
exceptions. From our review of ICO’s recruitment policies, and tested 
practices, we noted no instances where ICO’s procedures appeared to 
diverge from these principles. 


Difficulties in retaining employees have been increasing throughout the UK, 
with the Chartered Institute of Personnel and Development (CIPD) 
completing a survey in this area in 2017. The results of this survey indicated 
that the most popular step taken to improve staff retention was through 
increasing learning and development opportunities. An improved induction 
process and improved benefits also received high scores in the survey. We 
confirmed learning and development is well integrated at the ICO, with 
specific apprenticeships and qualification opportunities available to foster 
more tailored growth in conjunction with organisation training needs. 


In many organisations, personal development reviews and appraisals are increasingly aligning personal development goals towards organisational objectives and values in order to achieve goal congruence. A golden thread analogy is often used to link the organisational strategy, annual plans and how each development objective directly contributes towards a plan objective. We noted the ICO has not adopted this method of organising their personal objectives.


Across different sectors, many organisations previously accelerated their IT
strategy implementations in response to the UK incorporating GDPR
regulations on the 25 May 2018. This was done to minimise the use of
paper when storing personal information. Many changes were made to adopt
paperless processes, especially within HR teams. We note that, in comparison,
the ICO relies more on paper and is behind comparable peers in
the public sector for HR administration; we have raised a recommendation
to this effect within Section 04 of this report.
04 Areas for Further Improvement and Action


Definitions for the levels of recommendations used within our reports are included in Appendix A1. 


We identified a number of areas where there is scope for improvement in the control environment. The matters arising have been discussed with management, 
to whom we have made recommendations. The recommendations are detailed in the management action plan below. 


Hiring manager’s training

Observation: As part of a fair and consistent recruitment process, hiring managers are required to undertake training which includes Unconscious Bias, and Recruitment & Selection.

Within our sample testing we reviewed five hiring managers and it was evidenced from training records that four hiring managers were recorded as fully trained and one hiring manager had completed half the training required.

Further investigation of this issue identified that the training had been completed but there had been an issue recording this as completed.

Risk: Recruitment does not follow a fair and consistent process.

Recommendation: The ICO should investigate whether training recording issues persist.

Management response: The ICO will review the process for recording training and see if any issues persist. The process will be reviewed to ensure that all training is recorded.

Timescale/responsibility: Head of WDP; End of Dec 2020


Appraisals completion

Observation: We reviewed PDR completion data held on MINFO which was retrieved on the 6 August 2020. This showed that completion rates across ICO were 34%, although it is understood staff on probation will not have a PDR in place, which makes 34% a lower indication than actual.

As well as Covid-19 presenting an issue with completion, we understand there has been an IT issue that limited the number of people being able to access ICO systems, including MINFO that is used for the PDRs. These two factors together have had a significant impact on the completion rates across ICO.

Furthermore, there is currently no reporting of PDR completion rates to senior management.

Risk: Staff performance is not reviewed at regular intervals by line managers.

Recommendation: The ICO should evaluate and plan to ensure PDR completion is widespread across the organisation. PDR completion rates should be tracked and reported to senior management as part of performance reporting.

Management response: HR team will re-issue instructions for recording the completion of PDRs on Minfo and monitor the completion. This will be reported on annually to the ICO Resources Board.

Timescale/responsibility: Head of HR; End of November 2020


4.3 | HR policies

Observations: The People strategy launched in November 2018 has identified one of its priorities as “Recruiting the best possible people”.

One of the identified actions to deliver the priority was to “...actively ensure policies, working practices and environments are conducive to attracting and retaining staff with a diverse range of skills.”

We have noted that the following policies would benefit from a review to ensure procedures are up to date and that they fulfil the action of developing an attractive environment to work in:

• Career Break - October 2011
• Dignity at work - September 2006
• Grievance - October 2006
• Maternity - May 2015

The Director of Resources has explained the policies were currently in draft and undergoing final consultation with trade unions at the time of our review. Whilst the policies are old, in consideration of them currently being in draft we have prioritised this as housekeeping.

Risk: Recruitment does not attract the right candidates for the job roles and/or does not follow a fair and consistent process.

Recommendation: The ICO should ensure HR policies and procedures are regularly reviewed and updated where necessary.

Typically, many organisations will review policies on timeframes between one to three years.

Version control and review dates are also included for audit and administration purposes which is useful should earlier iterations of policies be required to be reviewed.

Management response: Policy review process is underway and policies. The ICO will ensure that there is an annual review to determine if any policies require amending.

Timescale/responsibility: Head of HR; End of November 2020


4.4 | Workforce planning model

Observation: A workforce planning model is identified as one of the solutions for ensuring the assessment for short and long-term workforce planning needs are met. The workforce model was submitted as part of a review into Workforce Planning 2019/20 to 2022/23 to the Corporate Strategy & Planning Steering Group on 9 May 2019.

We note the workforce planning model is a fluid process with an update due to go to Management Board. We do note that there is no formal reporting process.

In addition, although there is feedback from individual training on content and how this is delivered, ICO would benefit from an evaluation of the overall training across the organisation.

Risk: The ICO is unable to effectively upskill its workforce.

Recommendation: The Workforce planning model should be formally reported on a regular basis with consideration given to the overall training needs and delivery across ICO.

Management response: The Workforce Planning model is being updated and will be reviewed at management board in November and then again in Feb 2021.

Timescale/responsibility: Director of Resources; Nov 2020


4.5 | Job descriptions and person specifications

Observation: We completed sample testing of 10 new starters that had joined ICO from April 2020 onwards, for recruitment and checks controls.

We noted four positions were hired using job descriptions and person specifications that were a few years old. The four positions related to three Case Officers and one Executive Assistant.

The Case Officer’s job description was last updated in 2014 and the Executive Assistant’s was previously updated in 2010.

Although understandably the job descriptions remain effective, there is a requirement, according to the Recruitment policy, for hiring managers to meet with HR to discuss recruitment requirements and confirm job descriptions are up to date.

From our review we were not able to ascertain whether the job descriptions and person specifications are up to date.

Risk: Recruitment does not attract the right candidates for the job.

Recommendation: The ICO should ensure job descriptions and person specifications are updated when they are last reviewed to ensure the latest information is submitted as part of the job posting. This should be recorded by including a review date on the job description.

Management response: The HR advisors will include a latest reviewed date and/or verified date.

Timescale/responsibility: Head of HR; November 2021


ICO - HR Core Controls — September 2020
A1 Audit Information


Review Control Schedule 


Client contacts:

Andrew Huber, Director of Resources
Emma Titley, Head of Workforce Development and Planning
Mike Collins, Head of HR and Facilities
Amy Walthall, HR Manager (Projects)
Katy Hulme, HR Manager
Fiona Eaton, HR Advisor
Angela Downey, HR Assistant
Deborah Toone, Learning and Development Manager
Jo Taylor, Learning and Development Advisor

Internal Audit Team:

Peter Cudlip, Partner
Darren Jones, Manager
Cooper Li, Internal Auditor

Exit Meeting: 17/08/2020
Last information received: 17/08/2020
Draft report issued: 10/09/2020
Management responses received: 23 October 2020
Final report issued: 23 October 2020


Scope and Objectives 


Our audit considered the following risks relating to the area under review: 


• HR roles and responsibilities - Staff do not know what they are responsible for or how to carry out their duties, leading to non-compliance with ICO’s policies and procedures

• Recruitment - Recruitment does not attract the right candidates for the job roles and/or does not follow a fair and consistent process

• Pre-employment checks - Staff are recruited without the full completion of employment checks including right to work and security clearances

• Appraisals process - Staff performance is not reviewed at regular intervals by line managers

• Learning and development - ICO is unable to effectively upskill its workforce

• Retention of high calibre staff - ICO is unable to retain its high performing staff members

• Covid-19 response - HR practices are unable to adapt to:
  o Remote working
  o The increased administration demands as a result of changes in staff working hours and any other relevant changes as a result of Covid-19.
The objective of this audit was to evaluate and assess the adequacy and effectiveness of the ICO’s arrangements for HR Core Controls.

Testing was carried out on a sample basis by a member of the Internal Audit Team. Our work does not provide any guarantee against material errors, loss or fraud or provide an absolute assurance that material error, loss or fraud does not exist.


Definitions of Assurance Levels

Substantial Assurance: Our audit finds no significant weaknesses and we feel that overall risks are being effectively managed. The issues raised tend to be minor issues or areas for improvement within an adequate control framework.

Adequate Assurance: There is generally a sound control framework in place, but there are significant issues of compliance or efficiency or some specific gaps in the control framework which need to be addressed. Adequate assurance indicates that despite this, there is no indication that risks are crystallising at present.

Limited Assurance: Weaknesses in the system and/or application of controls are such that the system objectives are put at risk. Significant improvements are required to the control environment.


Definitions of Recommendations

Priority | Description

Priority 1 (Fundamental) | Recommendations represent fundamental control weaknesses, which expose the organisation to a high degree of unnecessary risk.

Priority 2 (Significant) | Recommendations represent significant control weaknesses which expose the organisation to a moderate degree of unnecessary risk.

Priority 3 (Housekeeping) | Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency or further reduce exposure to risk.
Statement of Responsibility


We take responsibility to the Information Commissioner's Office (ICO) for 
this report which is prepared on the basis of the limitations set out below. 


The responsibility for designing and maintaining a sound system of internal 
control and the prevention and detection of fraud and other irregularities 
rests with management, with internal audit providing a service to 
management to enable them to achieve this objective. Specifically, we 
assess the adequacy and effectiveness of the system of internal control 
arrangements implemented by management and perform sample testing on 
those controls in the period under review with a view to providing an opinion 
on the extent to which risks in this area are managed. 


We plan our work in order to ensure that we have a reasonable expectation 
of detecting significant control weaknesses. However, our procedures 
alone should not be relied upon to identify all strengths and weaknesses in 
internal controls, nor relied upon to identify any circumstances of fraud or
irregularity. Even sound systems of internal control can only provide 
reasonable and not absolute assurance and may not be proof against 
collusive fraud. 


The matters raised in this report are only those which came to our attention 
during the course of our work and are not necessarily a comprehensive 
statement of all the weaknesses that exist or all improvements that might 
be made. Recommendations for improvements should be assessed by you 
for their full impact before they are implemented. The performance of our 
work is not and should not be taken as a substitute for management’s 
responsibilities for the application of sound management practices. 


This report is confidential and must not be disclosed to any third party or
reproduced in whole or in part without our prior written consent. To the
fullest extent permitted by law Mazars LLP accepts no responsibility and
disclaims all liability to any third party who purports to use or rely for any
reason whatsoever on the Report, its contents, conclusions, any extract,
reinterpretation, amendment and/or modification. Accordingly, any reliance
placed on the Report, its contents, conclusions, any extract,
reinterpretation, amendment and/or modification by any third party is entirely
at their own risk.


Registered office: Tower Bridge House, St Katharine’s Way, London E1W
1DD, United Kingdom. Registered in England and Wales No OC308299.